Has anyone else experienced this? I upgraded by Orbi to 2.2.1.210 - everything seemed fine. I have a guest network (with a password) that I leave disabled and only enable when we have a guest. It is also set to not allow access to my LAN.

A few days after upgrading I noticed that my guest network was active with NO PASSWORD and it could access my LAN. I logged into the Orbi console and it was still set to disabled, but it was broadcasting and I could connect to it with no password. The only way to turn it back off was to turn the guest network on and off again.

This is a serious security flaw! I now have major concerns about the security of this device which I've had no problems with for over a year.

I just noticed this today. I have never set up the Guest network to use or turned it on yet! I suddenly realised there was a lot of devices connected that I could not work out who they were in the household or the device! Then realised on my laptop that NETGEAR-Guest was broadcasting totally open! argh!

I logged into Orbi and enabled guest network and added a password to secure it, I then turned it off! It was now secured but still broadcasting. I then reset the Orbi and it's vanished! phew! Iam not sure if it will turn itself on again but I recommend setting a password for it, turn it on and then off. The whole time the Orbi status said that the Guest Network was not enabled apart from when I turned it on to secure it. So it was broadcasting and turned on all by itself!

I have already fixed it as I described - namely, by turning the guest network on and back off again.

I was however, highlighting the issue that this may happen when the firmeware is updated and it shouldn't happen. It was pure chance that I noticed this and my network had been completely open for several days as a result.

I have already fixed it as I described - namely, by turning the guest network on and back off again.

I was however, highlighting the issue that this may happen when the firmeware is updated and it shouldn't happen. It was pure chance that I noticed this and my network had been completely open for several days as a result.

Stop asking customers to do factory reset and other time wasting procedures that is not part of the instruction from Netgear themselves and hoping that it fixes something. Netgear should be the one doing the testing with new firmware releases to ensure integrity of previous configurations during upgrade. I think you might think that is helpful, but plenty of customers have wasted some many hours of their time doing unnecessary resets.

Stop asking customers to do factory reset and other time wasting procedures that is not part of the instruction from Netgear themselves and hoping that it fixes something. Netgear should be the one doing the testing with new firmware releases to ensure integrity of previous configurations during upgrade. I think you might think that is helpful, but plenty of customers have wasted some many hours of their time doing unnecessary resets.

The fix mechanism is not the issue here. Any firmware update should not change the settings on the router such that it is then in an insecure state; in this case - a secure router with a password set on the guest network and the guest network turned off, was following the update, left with the guest network ON and not requiring a password.

The firmware update was succesful, there was no indication that there were any issues. This shouldn't and must not happen when a firmware update is applied to a device.

I discovered this too. Also have the latest firmware. V2.2.1.210. I am upset by the idea of strangers logging on to my network and rummaging through my private data. I am really disappointed and my confidence in the Netgear brand has been severely shaken. How can such a critical bug been allowed out in the wild? Wow! Treating their customers badly. The least this company can do is own up to it...

I use a spectrum analyzer every now and then to see if my wifi has any interference with neighbors, etc.

Noticed for a couple days that a very strong signal called 'NETGEAR-Guest' had the same signal strength as me and I thought it was a neighbor.

After walking around trying to find the signal I determine that it had to be in my house.

I thought something was weird, so I went to the mobile app and it showed as disabled. In the mobile app, I enabled guest, hit save, then went and disabled guest and save and the guest ap then disappeared.

I wonder how many people out there have a guest signal open and don't even realize it, this seems very bad and I have no idea how this got enabled.

I had a similar issue and it turned out the satellite was connecting via the backhaul and needed a firmware reset along with a forced sync to the base. Certainly wasn't expecting that, but can imagine it's probably happening to a lot more folks who just expect to plug this up and not check all the settings.

I had a similar issue and it turned out the satellite was connecting via the backhaul and needed a firmware reset along with a forced sync to the base. Certainly wasn't expecting that, but can imagine it's probably happening to a lot more folks who just expect to plug this up and not check all the settings.

@ja6a wrote:I would like to publish this as a security incident. Not sure about that process... It would be good to get the wider community involved.

My system had this issue once. Turns out the errant guest network was coming from one of the satellites. A power-cycle resolved the issue. It's a bug for sure, but it was not much of a security issue, because connecting to the guest SSID provided no IP address to the computer and no network access.

What is strange is that the only thing that did sync after the satellite rebooted and came back online was the router password, unfortunately nothing else sync'd.

I can certainly confirm that if you have it setup and operational - then decide to change the wireless settings - the satellite will not automatically get those settings and will continue to broadcast the original wireless networks and passwords. What's also frustrating is that you can't remotely reboot the satellite. However, you can upload the firmware again and that will trigger the reboot. I never got the Sync buttons to work unless the satellite was in factory default mode and right next to each other (even though the satellite shows up as connected via backhaul on the router's attached devices).

So for me - if I make a WiFi settings change (pw or SSID) - then it won't sync unless i reset the satellite to factory defaults - but the router password will. In your case, maybe the satellite received an initial configuration with an open guest password before a password was set. That would explain having the open network - which I recall having when I first set this up - but just chalked it up to initial setup issues and then did a factory reset after all the settings were completed in the base.

It's a bug for sure, but it was not much of a security issue, because connecting to the guest SSID provided no IP address to the computer and no network access.

Well, if the satellite is connected via ethernet backhaul to the base - then it will allow those devices to connect and be handed off to the base for connectivity into the network. If you look at the connected devices on the base - all of those devices from the satellite appear as wired (via the backhaul).

It's a bug for sure, but it was not much of a security issue, because connecting to the guest SSID provided no IP address to the computer and no network access.

Well, if the satellite is connected via ethernet backhaul to the base - then it will allow those devices to connect and be handed off to the base for connectivity into the network. If you look at the connected devices on the base - all of those devices from the satellite appear as wired (via the backhaul).

No. As I wrote, my computer did not receive an IP address from the rogue guest WiFi. With no IP address my computer had no connectivity to the satellite (and thus no connectivity to any part of the network.)

Then maybe our configs are different.Are you in router or AP mode?I'm in AP mode and not using orbi for dhcp. Remember, just because you didn't get an IP doesn't mean you didn't authenticate and were connected to the network. You could still statically assign yourself an IP and access the LAN.

Hi all,Just wanted to add that I ran into this today too. I'd been adding a new Netgear modem/router (DM200), and configuring my Orbi wi-fi settings etc (although not for the guest network), when I noticed an unsecured ORBI-Guest network. I was shocked to discover that it was my Orbi, even though I had made no changes to the guest network settings whatsoever, and the checkbox was unchecked in the admin page! Enabling it then disabling it, and rebooting the Orbi (via the admin page) made no difference.

In the end I had to power off my satellite (RBS50), after which the guest network disappeared.This is a major security flaw, and should be addressed as a matter of urgency by Netgear.

This just happened to me tonight. I came home and was working on a CradlePoint and I noticed the Netgear-Guest network in my list. I click and attach to it and get an IP address. I'm then able to surf the internet. I pull up my port scanner and scan the subnet but I don't find anybody else. I wanted to know who had a wide open network so I did a reverse lookup and what do you know, it was my f-in IP address, blew me away! I went and checked the settings and sure enough it showed disabled while in fact it was enabled. I changed the guest network name and rebooted and it looks OK now, but this is a major security issue. I am running version 2.2.1.210 and have 1 satellite (likely not for much longer).

Did you manage to get it published? This is indeed a pretty nasty security hole in the firmware and given that it's still the active firmware in use at this time, broader communication about it world definitely be a good idea.